High Severity BIND Vulnerability Advisory Issued
wiredmikey writes "The Internet Systems Consortium (ISC) and US-CERT have issued a high severity vulnerability warning, discovered by Neustar, which affects BIND, the most widely used DNS software on the Internet. Successful exploitation could enable an attacker to cause BIND servers to stop processing all requests. According to the disclosure, 'When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.'"
"There have been no active exploits known, and versions 9.7.1-9.7.2-P3 of BIND are affected. US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3."
never a better time to get connected? see you there?
The government doesn't need an "internet kill switch" when they can just exploit things like this.
I'm giving them way too much credit...
inb4 well-known /fag DNS-and-BIND
I wonder how long it'll be until FreeBSD rolls a security update out for this.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
What about versions before 9.7.1? Looks like this vulnerability affects only Bind servers within the specific range: 9.7.1-9.7.2-P3
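The affected range quoted in the summary and in the comment above (9.7.1 through 9.7.2-P3, fixed in 9.7.3) can be checked across a fleet with a small script. This is an added example, not part of the original thread or of ISC's tooling; the function names and the inventory are hypothetical, and it assumes version strings of the form `major.minor.patch[-Pn]`, sending pre-release or vendor-rebuilt strings to manual review because the page does not say how they map onto the range.

```python
import re

# Affected range as stated in the advisory summary on this page:
# 9.7.1 through 9.7.2-P3, with 9.7.3 named as the upgrade target.
FIRST_AFFECTED = (9, 7, 1, 0)   # 9.7.1 (no -P suffix is treated as patch level 0)
LAST_AFFECTED = (9, 7, 2, 3)    # 9.7.2-P3

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)"   # major.minor.patch
    r"(?:-P(\d+))?"          # optional -P<n> patch level, e.g. -P3
    r"(\S*)"                 # anything still attached: rc1, b2, vendor build tags
)


def parse_bind_version(text):
    """Return ((major, minor, patch, plevel), trailing_text) or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel, rest = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0)), rest


def classify(text):
    """Map a reported version string to affected / not-affected / review / unknown."""
    parsed = parse_bind_version(text)
    if parsed is None:
        return "unknown"          # nothing that looks like a version
    key, rest = parsed
    if rest:
        # Assumption: release candidates and distribution rebuilds cannot be
        # placed in the range from the string alone (a vendor may or may not
        # ship the affected code), so a human checks the vendor advisory.
        return "review"
    if FIRST_AFFECTED <= key <= LAST_AFFECTED:
        return "affected"
    return "not-affected"


def triage(inventory):
    """Group hosts by classification; inventory maps host -> reported version."""
    buckets = {"affected": [], "not-affected": [], "review": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        buckets[classify(reported)].append(host)
    return buckets


# Constructed inventory for illustration (hostnames and strings are made up).
SAMPLE_INVENTORY = {
    "ns1.example.com": "BIND 9.7.2-P3",
    "ns2.example.com": "BIND 9.7.3",
    "ns3.example.com": "9.7.1-P2",
    "ns4.example.com": "9.6.3",
    "ns5.example.com": "9.7.0-P2",
    "ns6.example.com": "9.7.2rc1",
    "ns7.example.com": "9.7.0-5.P2.el6",       # vendor-style build string
    "ns8.example.com": "no version reported",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```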
Let me ask a question, when alerts come out like this that explain a vulnerability, do they always state the problem the way it happens?
Like, if someone understood how to exploit this vulnerability, are they really going to shut down DNS services or could it be that there is a worse vulnerability underneath? For instance, could this actually be a call to patch something that allows for DNS spoof, where someone does not want the issue to have wide awareness?
I'd hardly call hosts files obscure...
Also, restricting name resolution to host file only does not "defacto limit the webservers that employees may visit" as this file is never consulted if the user decides to access a webserver via its IP address.
No, entries in the hosts-file don't make your computer into a nameserver. They do however override the system lookup so that you don't have to use a name server for this.
c++;
I'd hardly call hosts files obscure...
Also, restricting name resolution to host file only does not "defacto limit the webservers that employees may visit" as this file is never consulted if the webserver is accessed via its IP address.
I'm pretty sure that's well known...
No sig today...
This is not well known, but every computer connected to the Internet is capable of being its own nameserver.
This is in fact fairly well known among the people who need to know these things. Also the hosts file is no substitute for DNS. It cannot, for example, give you MX records, cannot perform round-robin load balancing, and even if the sync of the hosts file is very quick, is not a suitable way to deal with the fact that name to ip mappings change frequently. Anyone who set things up as described above would be committing malpractice.
Someone had to do it.
This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.
This is just one more in a long list of well-known ways anyone could knock a server offline.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Hosts.txt isn't a well-known thing? I would categorize it as more of a known-but-inefficient thing, since you can typically do redirection and other stuff hosts.txt does at the firewall level, negating the need for some complex P2P setup.
High severity threats are those that either disclose sensitive information or allow unauthorized control of a service or system. Denial of service vulnerabilities are almost universally considered low severity. This is just one more in a long list of known ways to DoS a system.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Seriously? What companies avoid nameservers?
Why would you believe your P2P software is less prone to vulnerabilities than BIND?
Perhaps, if your company employs people who cannot type in an IP address. Nonetheless, I can think of many much better ways to limit employee internet access.
All software has vulnerabilities. If your nameserver has an issue, you upgrade BIND and you're done. If your P2P software on every desktop has a vulnerability, you now have to update software on every desktop. Assuming, that is, that the vulnerability is ever publicly disclosed.
Who could have foreseen such a problem in such modern and well-crafted software.
If corporations are people, aren't stockholders guilty of slavery?
Just an FYI - we use PowerDNS instead of Bind: www.dnshat.com
This was bound to happen...
Also severely limits who you can send email to. And is excessively cumbersome. Easier to just run your own BIND and not allow connections from outside.
My footer quote reads:
> You will not censor me through bug terrorism. -- James Troup
djbdns - if you want a secure one.
You can't handle the truth.
According to the RHEL CVE database, RH distros are not vulnerable. "This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6."
Hosts is old. It predates DNS, and is one of the reasons for DNS. DNS (and WINS, technically) were developed because maintenance of the hosts file across a network of computers is too complex. Updates would be slow, insecure, inconsistent and unreliable, particularly if you use DHCP on your network instead of static addressing (which everybody with a brain does on a non-trivial network). Cache poisoning would be a constant problem. Never mind that all the hosts file does is translate names to IP addresses, while DNS does much more than that.
So, yes, if you're willing to sacrifice ease of administration, security, functionality, performance, and reliability, you can absolutely revert to distributed hosts files over DNS.
The road to tyranny has always been paved with claims of necessity.
Most of what I see hosts files used for now is to "null route" (direct to 0.0.0.0) known bad hosts.
I do the same on my computers, but instead of "known bad" hosts I block various ad servers
Don't blame me, I voted for Kodos
Now I really wonder... are you someone totally incompetent trying to post as a windows admin or just an elaborate troll
Because I really don't see the point to try to push the usage of host files in this community (or any community, for that matter - especially as an alternative to DNS).
yeah.. until your hosts file is a couple hundred kB. flat text files don't scale well.
Yeah, a lot of anti-malware software does this. Spybot Search & Destroy adds about 15,000 entries to hosts that point to 127.0.0.1, which might fail safer than a null route. It amounts to the same thing.
The road to tyranny has always been paved with claims of necessity.
"Now I really wonder... are you someone totally incompetent trying to post as a windows admin or just an elaborate troll" - by geogob (569250) on Wednesday February 23, @12:22PM (#35291486)
Take it easy man, no need to insult him. He's trying & he really isn't THAT "far off base" on what he noted!
HOWEVER:
You don't need P2P to distribute HOSTS files as he stated (logon scripts work nicely here)
&
It's not "hosts.txt" as he noted, but hosts (no extension).
---
"I really don't see the point to try to push the usage of host files in this community (or any community, for that matter - especially as an alternative to DNS)." - by geogob (569250) on Wednesday February 23, @12:22PM (#35291486)
I beg to differ, especially in cases where DNS has bugs or is misdirect/redirect "poisoned"? HOSTS ARE AN EXCELLENT SUPPLEMENT! Especially for SECURITY vs. redirect/misdirect poisonings of DNS records!!!!
HOSTS can also get you more speed than using external remote DNS servers, & by blocking out adbanners too! You can DOUBLE YOUR SPEED online this way, try it yourself & see!
AND??
HOSTS can get you more security & anonymity to a degree even (vs. DNS request logs even), & security vs. KNOWN bad sites/servers/host-domain names as well, by "blacklist blocking" them out.
APK
P.S.=> If you are not aware of those things? Then, perhaps, you shouldn't have ridiculed the ac that posted this here... he was "off" on a few things I noted above, but, not entirely in principle... apk
return to ARPAnet? Are you MAD?!?! replace the hierarchical DNS structure w/ P2P filesharing to avoid a vulnerability? Are you INSANE?!?! Sure, professional consultants may understand that alternatives exist for several key infrastructure services (oooh let's get rid of RIP/EIGRP/BGP/etc w/ static routes. It's more secure and that means its more reliable!). Hopefully they understand the issues w/ NOT utilizing it and the ramifications to operational costs to maintain it as well as the implications to reliability. End of the day... you're CRAZY!
"replace the hierarchical DNS structure w/ P2P filesharing to avoid a vulnerability?... End of the day... you're CRAZY!" - by IT.luddite (1633703) on Wednesday February 23, @12:52PM (#35291784)
To update a HOSTS file, all you need is a LOGON script... for starters, & a P2P method is rather "overkill" (I agree here).
However: TO OFFSET & IMMUNIZE ONE'S SELF vs. DNS POISONING of DNS records? Hosts work...
I personally don't think one should REPLACE DNS with HOSTS, but rather supplement DNS (vs. redirect/misdirects like this one i.e. DNS poisonings, & to GO FASTER TOO!)
I use HOSTS to block out known malicious sites (936,000++ here & counting, updated by the MINUTE no less here from many reputable & reliable sources) and adbanners too.
Doing the last paragraph? I make a DSL connection seem like FIOS, because I am not calling out to remote DNS servers (roundtrip there is, minimum, 30-60ms & that's longer than local file access of a HOSTS file, especially once its cached into memory).
In this case though? HOSTS make sense, as they can proof you vs. such things or even sites going down (when SECUNIA.COM was hit this way? I was reaching it when MOST of the internet, couldn't... how/why?? HOSTS hardcode of secunia's IPAddress-to-Hosts/Domain Name for them!)
APK
I am not one of the ACs in this thread. That being said, I have some background and experience in network administration in environments from SOHO to global enterprises.
Now, please detail how you'd set up an automatic and redundant P2P distribution network for a HOSTS file including your mechanism for securely updating said HOSTS file from a location of your choosing, and explain how your solution is more efficient than your company's infrastructure's DNS systems. If you allow updates from anywhere other than a central location, what happens when malware on a personal computer alters the HOSTS file - does it cause an erroneous update to be pushed out to the group? Can you ever tell that the one computer is stale? Would you push the updates on demand only, or every X minutes/days?
You're clearly talking about a business use of some sort here. Have you done this in a business environment? How large? How did you convince them to allow you to override DNS with myriad HOSTS files? Have improvements in their network infrastructure superseded your solution, perhaps without your knowledge?
The only benefit to having a HOSTS file distribution like that might be that it could be distributed faster than your DNS can replicate changes via a push or pull mechanism, although in a modern enterprise environment DNS changes should be able to propagate in minutes if not seconds.
Once a system is removed from that HOSTS file distribution, or the distribution fails because a server dies or a network link is broken temporarily, or a user does something that causes their personal machine to stop receiving changes, then you have stale HOSTS files everywhere conflicting with your DNS. How do you propose to clean that mess up?
DNS should at least be set up such that (in no particular order):
1) It is very redundant (multi-homed) and thus robust/reliable
2) Administrators can control it and add/alter/remove records
3) Replication is fast
4) The source of changes can be verified or at least identified
5) Poisoned updates from the untrusted wilds can be rolled back and audited once they have been identified
How often do you have significant DNS bugs whose actual (not theoretical) impact and resolution outweighs the implementation cost (time and money) of your custom HOSTS distribution solution? I propose that this scenario does not exist, but someone has created this alternate solution "just in case" which just smacks of the 1980s rather than learning how to correctly administer their DNS infrastructure. Either that, or someone is upset because they weren't permitted to alter the corporate DNS the way they wanted / anonymously, and became the squeaky wheel and pitched their solution to execs in the business who don't know the difference between a CPU and a chassis. (Nor should they have to, it's not their job.) These are possibilities, perhaps not accurate. However: None of these are acceptable for a network administrator. All network admins should be seeking ways to improve their DNS setup, staying on top of the state of the art, and using HOSTS files *only* when appropriate.
HOSTS files do have uses.
* Null-routing a server that's been causing some isolated issue, such as an ad server or some other server that your software times out waiting for; Also, null-routing a server to prevent a new software package you're testing/developing from reaching a production server
* Rerouting a name to your local development environment while debugging or developing software
* Guarantee resolution of key server names on a portable demo workstation that often finds itself on different private networks
I think you need to chill out a little bit, regardless. There's entirely too much angry excitement in this thread, and there's a lot of arguments that seem to stem from personal experiences with isolated situations from the distant past that basically never happen in a properly configured environment, and don't cause the kind of disaster that they are imagined to cause. Let's try to stay calm, civil and professional on a public technology website.
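The post above asks how stale HOSTS entries that conflict with DNS would be found, and separately lists null-routing as a legitimate use. The following added example (not from the thread; all names, addresses and the DNS data are constructed) audits a hosts file against DNS answers and separates deliberate null-routes from entries that disagree with DNS. The `resolver` argument is an assumption: in real use it must query the DNS servers directly, because the operating system's resolver typically consults the hosts file first and would just echo the entry being audited.

```python
import ipaddress

# Names that are expected to point at loopback on any machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (lineno, address_or_None, name) for every name in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) < 2:
            continue                               # blank, comment-only, or no name
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            address = None                         # first field is not an IP address
        for name in fields[1:]:                    # one line may carry several aliases
            yield lineno, address, name.lower()


def audit(text, resolver):
    """Classify each hosts entry; resolver(name) returns DNS addresses as strings."""
    findings = []
    for lineno, address, name in parse_hosts(text):
        if address is None:
            status = "malformed"
        elif name in LOCAL_NAMES:
            status = "local"
        elif address.is_unspecified or address.is_loopback:
            status = "null-route"                  # 0.0.0.0 / 127.0.0.1 blocking entry
        else:
            answers = {ipaddress.ip_address(a) for a in resolver(name)}
            if not answers:
                status = "hosts-only"              # name exists only in the hosts file
            elif address in answers:
                status = "matches-dns"             # redundant with DNS today
            else:
                status = "stale-or-override"       # disagrees with DNS: investigate
        findings.append((lineno, name, status))
    return findings


# Constructed hosts file and constructed DNS answers (documentation address ranges).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost
0.0.0.0      ads.example.net          # null-routed ad server
127.0.0.1    tracker.example.net
192.0.2.10   intranet.example.com wiki.example.com
192.0.2.99   mail.example.com         # pushed before the mail server moved
198.51.100.7 demo.example.org         # demo workstation entry, no DNS record
not-an-ip    broken.example.com
"""

SAMPLE_DNS = {
    "ads.example.net": ["203.0.113.5"],
    "intranet.example.com": ["192.0.2.10"],
    "wiki.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
}


def sample_resolver(name):
    """Stand-in for a direct DNS query, backed by the constructed table above."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for lineno, name, status in audit(SAMPLE_HOSTS, sample_resolver):
        print(f"line {lineno}: {name:24} {status}")
```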
"Now, please detail how you'd set up an automatic and redundant P2P distribution network for a HOSTS file including your mechanism for securely updating said HOSTS file from a location of your choosing, and explain how your solution is more efficient than your company's infrastructure's DNS systems" - by djdanlib (732853) on Wednesday February 23, @01:17PM (#35292032) Homepage
I am not the OP/parent here, I am APK (I post as AC here all the time & "sign off" @ the termination of my posts as "APK", so you know). You should look thru my other replies here, because you're now sitting there with egg on your face accusing me of something I never said, & in fact, something I disagree with myself (using P2P to update HOSTS). Logon scripts work for that, easily!
You have me confused with the other fellow... I update HOSTS on LAN/WAN setups using logon scripts!
APK
P.S.=> If you'd have read PROPERLY? You'd see that I recommended using Logon Scripts for HOSTS files updates... & yes, I have done this in ENTERPRISE class scenarios with 100's of users in fact! apk
Does anyone know which DNS servers are either derived from or just repackaged BIND? I haven't been able to find this information anywhere.
I addressed my post incorrectly. I was replying to the thread as a whole, which was not correctly conveyed.
Logon scripts that copy from where?
Still, it wouldn't kill you to be civil.
"I addressed my post incorrectly. I was replying to the thread as a whole, which was not correctly conveyed." - by djdanlib (732853) on Wednesday February 23, @01:32PM (#35292166) Homepage
Fair enough... try not to do it again I suppose! LOL, that made you look pretty poorly, but fair enough.
(Again, stressing it, as I did to others here: Logon scripts can do the job updating a HOSTS file... which work vs. DNS poisoning redirects bigtime, & are easily updated + distributed, via logon scripts (when it matters most, when a user signs onto a machine to use it)).
APK
P.S.=>
"Logon scripts that copy from where?" - by djdanlib (732853) on Wednesday February 23, @01:32PM (#35292166) Homepage
From your fastest server I suppose (that's how I went about it in LAN/WAN scenarios)... OR, there ARE other methods, other than logon scripts!
E.G.-> See MVPS.ORG (they make a pretty "famous" HOSTS file, much smaller & less comprehensive than mine, but well known).
They have a tool for it (I built one myself years before it in fact, but I use it only for my personal uses, APK Hosts File Grinder 4.0++)...
Anyhow/anyways - See this page:
http://www.mvps.org/winhelp2002/hosts.htm
Look for "HOSTSMAN" there...
I.E.-> it is capable of doing remote HOSTS file updates in fact, & from a VERY "reputable & reliable" source, mvps.org!
---
"Still, it wouldn't kill you to be civil.." - by djdanlib (732853) on Wednesday February 23, @01:32PM (#35292166) Homepage
I am, per my subject-line...
I only stated fact when I said you're sitting there with "egg on your face" accusing me of stating I was using P2P setups to update HOSTS files is all... because I never said it!
Fact is, the post you replied to of mine? Even has me SAYING I used logon scripts to update hosts in networked environs! You "skimmed over" that... fact! apk
Do not get in an Internet argument with APK, he's really volatile and might issue you a standing death threat over it:
http://forums.techpowerup.com/showthread.php?p=283463#post283463
Distinct posting style especially key giveaway P.S.=> indicates this is same APK: http://forums.techpowerup.com/search.php?searchid=13405991
Beware the investigative powers of the anonymous Internet, and don't post things publicly you wouldn't want us to find...!!!
"Seriously? What companies avoid nameservers?" - by Albanach (527650) on Wednesday February 23, @11:14AM (#35290864) Homepage
Uhm, there ARE "rogue DNS servers" out there, & ones that malware makers themselves actually use... & what's a way to block them out? Hosts is 1 possible.
---
FAST FLUX DNS MALWARE TECHNIQUE IN A NUTSHELL:
http://en.wikipedia.org/wiki/Fast_flux
---
Iirc, "fast-fluxing" is one method that involves DNS & rogue servers, & malware makers use it... So, that said?
YOU MAY WISH TO "LOOK INTO IT", yourself...
---
"Perhaps, If your company employs people who cannot type in an IP address." - by Albanach (527650) on Wednesday February 23, @11:14AM (#35290864) Homepage
LMAO, hey man - there IS "plenty of THAT, 'going around'" too, & YOU KNOW IT! Lol... some folks just do NOT "get into being geeks" is all.
---
"Nonetheless, I can think of many much better ways to limit employee internet access." - by Albanach (527650) on Wednesday February 23, @11:14AM (#35290864) Homepage
Hosts work for it, nonetheless, & especially in cases where the DNS records are false/erroneous/hijacked... as they are in this case, & many others the past decade or so now.
APK
P.S.=> Hosts files are an EXCELLENT security AND SPEED supplement to DNS servers, but they're not really a GOOD SOLID FULL replacement...
HOWEVER: Using HOSTS files to:
1.) Block out KNOWN BAD SITES/SERVERS/HOSTS-DOMAINS, is good for security
2.) Blocking adbanners is also good for security (since they've been hijacked quite a lot the past few years) AND SPEED too (e.g./i.e. - I make a DSL connection behave like FIOS almost, on the web @ least this way)
3.) HOSTS aid anonymity (avoiding DNS request logs, which you'd *think* DNS server admins might like, since it "lessens the load" on DNS servers!)... apk
I'd hardly call hosts files obscure...
Tell that to my wife (and the billions of Windows users who start to shake and cough just like the old man in that book by Nabokov) every time I say "Why don't you just open another tab instead of going back and forth between web pages?"
Her response is, "I don't know what you mean!"
soylentnews.org Go there to enjoy the people!
Pete, you're a troll and a moron. You made a complete ass of yourself here and you continue to do so in this forum.
If I am "so bad"? Then why does TechPowerUp still host my software there then??
E.G. #1:
APK Registry Cleaning Engine 2002++ SR-7:
http://www.techpowerup.com/downloads/389/APK_Registry_Cleaning_Engine_2002++_SR-7_.html
E.G. #2:
APK Matrix ScreenSaver:
http://www.techpowerup.com/downloads/390/APK_Matrix_ScreenSaver.html
?
(iirc, they're even MORE DOWNLOADED in the categories they're in, than WinZip there even!)
Plus, anyone can sign off as anyone... & for all I know? Someone impersonated me, yet again, there (like they have here, many times, or at arstechnica where they did so as well & got caught in it (Jeremy Reimer specifically)).
APK
P.S.=> SO, you can TRY to go "off topic" & try to discredit me, but you're not doing well @ it... In fact, I've noted that when folks have to go "off topic" in replies?? They KNOW they've lost the debate... apk
"Pete, you're a troll and a moron. You made a complete ass of yourself here and you continue to do so in this forum." - by Anonymous Coward on Wednesday February 23, @02:04PM (#35292568)
Since you're off topic & trolling me? What's good for the goose, is good for the gander... here we go, tit for tat:
Thor SCHMUCK? LOL, tell him that his buddy Ty Tymkovich says hello... ok??
(Gee, I just WONDER (not) who sent Ty Thor's way... lol!)
$5,000 Thor SCHMUCK got absolutely SUCKERED for by Good Ole' Ty (someone should nominate him for sainthood imo, lol), after Thor libelled myself?
Serves him right!
APK
P.S.=> You ought to tell Thor SCHMUCK to tell his Sis to keep her legs together too... she's NOT good at that from what I see (& only THOR calls me "Pete" so, it doesn't take a brain to see you're he)... apk
See subject-line, lol, and tell your sister to keep her legs together Thor (there'd be 1 less fatherless bastard out there, you know? It's not the kid's fault either... that's the SAD part, because I think kids are 1 of the FEW redeeming features of humanity, especially little kids. However, IRRESPONSIBLE ADULTS? Not so!).
Ty, listen: Next time you wonder how Ty Tymkovich got a piece of you, for $5,000? DON'T THINK *TOO* LONG... lol!
I don't know WHERE this "roommate" thing came from, or my Mom, but I own my own home, & have rental properties too... but, to each his own!
Lastly, I'll tell you 1 thing: You seem to know which meds to take... is this the "voice of experience" on YOUR end, taking them, yourself? Sounds it... try get on topic, you might sound more credible.
APK
P.S.=> As far as the rest of your attempting to troll me? Please - keep your "sidewalk surgeon/quack" diagnosis-prognosis to yourself... ok? Until you get your PHD in Psychiatry, and a license to practice it, and you have done a formal examination of myself in a professional environs??? Please... your own "delusions of grandeur" have gotten the BEST of you (like Ty Tymkovich did, lol)... because you're NO psychiatrist! apk
Ugh, it's the Hosts File troll again.
"if that's you, you tend to know what you're talking about" - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage
Thank you. We DO try! I didn't follow the links posted, because it's obviously trolls around here (as you yourself noted).
---
"It's clear that you're not in this for an exchange of ideas" - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage
Why, sure I am... I showed you 2 diff. ways to remotely update a HOSTS file, reliably & from reputable sources!
MVPS.ORG (manually, or via the HOSTSMAN program)
or
Using logon scripts
I just wanted to make SURE you knew I wasn't the OP/parent poster that noted using P2P was his way of updating a HOSTS file (but, it's NOT like THAT's "undoable" either... it's just that using logon scripts on a LAN/WAN is better, imo @ least).
---
"Ugh, there are some bored forum trolls and they are out in force today." - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage
LOL, yes there are... I get this regularly, I am QUITE used to it! The problem with some of these wannabe "geeks" is that they cannot handle it when they're off/wrong... & they follow + stalk you online, endlessly.
I don't mind it though, not really... why? Well - I just shoot them down with facts, everytime, & usually it's VERY easy to do (as I usually say, that pisses them off to NO end?? "too, Too, TOO EASY - just '2EZ'")
---
"It's a shame when Slashdot turns into this" - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage
I agree, but, don't let it bother you... then again, I am used to being trolled, perhaps you are not (& I was not trolling you - I merely pointed out you made a mistake saying I used P2P to update hosts, & I showed you I do not)
APK
P.S.=>
"although you get more impassioned than other people might." - by djdanlib (732853) on Wednesday February 23, @02:33PM (#35292844) Homepage
Sometimes I do, sometimes I don't... it mostly depends if I am attacked first is all, then I come out "all guns blazing"... Hey - only human here & defending myself is all. I have every right to that much.
However - I have been impersonated online, many times here on this site in fact (because I post AC), & even by well-known sites (e.g. arstechnica) + their personnel (which astounded me, but that's THEIR "Geek Angst" working against them is all - they most likely regret it later I imagine).... apk
"Judging by how he didn't respond to your idiotic statements at the end of his column I would guess that he's far too busy to deal with someone who's clearly taking trolling to a professional level." - by Anonymous Coward on Wednesday February 23, @02:43PM (#35292950)
Like yourself off topic here the whole time?
Thor COULDN'T respond... when I used the example of Spybot "Search & Destroy" altering a HOSTS file (albeit for the GOOD of others), & yet, he doesn't list it as a malware? It showed how much Thor SCHMUCK knew (zero).
I asked him also why PING is not listed... it can issue a PING OF DEATH (or could on various distros/OS over time)... funny he shut up there too, eh??
THOR SCHMUCK IS A 1/2 WIT WITH NO DEGREE IN COMPUTER SCIENCE TRYING TO PLAY "EXPERT" ONLINE, PERIOD... & IT BACKFIRED IN HIS FACE WHEN HE TRIED ME IS ALL!
(Ty Tymkovich took him for $5,000 too, lol, hilarious!)
---
"Maybe if you'd work as hard at your software as you do at being a douche bag then your (cr)apps wouldn't have ended up on the malware lists" - by Anonymous Coward on Wednesday February 23, @02:43PM (#35292950)
My software's & work in it have done well for me... here is a partial list (in addition to the apps I showed from techpowerup here in this very exchange too):
---
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3
Lastly, lately (this year)?
It's also been myself helping out the folks at the UltraDefrag64 project (a 64-bit defragger for Windows), in showing them code for how to do Process Priority Control @ the GUI usermode/ring 3/rpl 3 level in their program (good one too), & being credited for it by their lead dev & his team... see here ->
http://ultradefrag.sourceforge.net/handbook/Credits.html
---
Plus, your calling me "douchebag"? Please... lol! You're not only an off topic troll, but also an ad hominem attack using one too! Poor showing...
APK
P.S.=>
"Nope, not Thor." - by Anonymous Coward on Wednesday February 23, @02:43PM (#35292950)
Yea, "right" (sarcasm
"Ugh, it's the Hosts File troll again." - by Anonymous Coward on Wednesday February 23, @02:45PM (#35292968)
LOL, you guys like to "troll me" ad hominem attack style & call me that, but...
The OP/parent poster on HOSTS files? It's not me... too many technical mistakes (e.g. hosts.txt, no filetype extensions on HOSTS), for one thing... & his using P2P, though not IMPOSSIBLE, is not the way to update a HOSTS file... Logon scripts or tools like HOSTSMAN are better imo!
I offered/noted other ways, from reputable & reliable sources, all thru this thread.
APK
P.S.=> NOW, lastly, in closing:
The funniest part of all this is that whatever I posted in favor of HOSTS file here, that overturned the "naysayers" here, & made them have to resort to "off topic" trolling &/or adhominem attacks directed MY way... rather than disputing & disproving my points (as I did to theirs, for THEIR OWN GOOD, and the GOOD OF OTHERS (misinforming others is NOT cool is why)) seems to have done its job - how can I say that? Easy: The fact you're AD HOMINEM ATTACKING ME, or trying to (wrong guy though) shows us all that much... apk
"BTW, I am an Internet PSEUDODOCTOLOGIST with my PHD from the Arsclan University and I'm fully qualified to diagnose you as BAT SHIT crazy. Though I have a feeling I'm not the only one who has told you that, am I? ( = - by Anonymous Coward on Wednesday February 23, @03:01PM (#35293078)
Please: Grow up.
APK
P.S.=> When you calm down, I wish you'd look at the stupidity in your post, off topic & ad hominem attack nature of it especially... it makes you look silly + immature, & only makes my points stronger for it.
After all - when you're "forced" to go "off topic" & to ad hominem attack a poster? You've lost... badly! That's attacking "the man", not his technical points... that's a logical fallacy on YOUR part! apk
This is fun. I legitimately have time on my hands to waste, clearly someone of your importance and intellect has much better things to do than to entertain the likes of me. I'm a complete NOBODY and have ruffled your feathers, haven't I? I find it especially laughable that you compare yourself to the likes of Sofer and Russinovich. I've used your reg clean tool and it's not even close to the capabilities/functionalities/variabilities of Juoni Vuorio's jv16 Power tools.
You MAY have been cool in 1997 but those days are over, momma's boy. Better check the batteries in your pillminder...you've missed a dose.
Never at any point did I say I was attacking your technical points. I am talking to you. You, Alexander Peter (petey) Kowalski. I've been watching your posts for a long time and have seen you get banned from technical forum after technical forum. I counted FIVE in just 30 minutes of looking. Lemme guess...you proved them ALL wrong with your superior intellect and logic bombs and they just couldn't respond any other way than to BAN you! You might even be correct in SOME of your arguments, but you're such a dick in the way you do it no one cares to give you credit.
The common denominator in all of those instances is YOU, Petey. Stop trying too hard to be right all the time and maybe, just maybe, you'll be able to make and keep a friend or two.
P.S.=> This is my last post...I have some actual work to do now. I'm sure you'll keep going, but just remember: The LAST word isn't always the RIGHT word.
"I'm a complete NOBODY and have ruffled your feathers, haven't I? " - by Anonymous Coward on Wednesday February 23, @03:19PM (#35293236)
No... what gives you THAT idea? I am having fun shooting you down on every "off topic" ad hominem attack you make, easily... it's actually FUN, but, too easy to do.
---
"I've used your reg clean tool and it's not even close to the capabilities/functionalities/variabilities of Juoni Vuorio's jv16 Power tools." - by Anonymous Coward on Wednesday February 23, @03:19PM (#35293236)
LOL - funny you mention that tool:
He does "OK" work, but?
Well, hate to point out the OBVIOUS here, but:
I don't see anything he did go & take a FINALIST SPOT over at Microsoft Tech Ed 2000-2002 for instance as my work had on PAID contract for EEC Systems/SuperSpeed.com though...
(& certainly NOT before I had achieved that type of "fame" or whatever you call it... was just decent work to me!)
---
"This is fun.." - by Anonymous Coward on Wednesday February 23, @03:19PM (#35293236)
Making you look like a fool? Absolutely. I am having fun doing it... as it is just "too, Too, TOO EASY - just '2EZ'"...
(Especially since you have to go "off topic" & ad hominem attack me, rather than stay on the topic of HOSTS files here)
---
"I legitimately have time on my hands to waste, clearly someone of your importance and intellect has much better things to do than to entertain the likes of me.." - by Anonymous Coward on Wednesday February 23, @03:19PM (#35293236)
Thank you for the compliments. I am entertaining myself here though, blowing an off topic ad hominem attack using troll like you easily...
---
"I find it especially laughable that you compare yourself to the likes of Sofer and Russinovich." - by Anonymous Coward on Wednesday February 23, @03:19PM (#35293236)
Well, Nir knows me from email, & he does a good set of smallish "power tools" type apps... I like the guy! We've talked many a time in email etc. (ask him yourself).
Dr. Russinovich?
He & I used to work for the SAME company in the mid to late 1990's in fact...
Additionally - I have actually CORRECTED HIS WORK FOR HIM BEFORE (ask him about PageDefrag)...
Dr. Russinovich even THANKED me in email for that one (he hardcoded stuff, I was amazed... but, that shows you that a PHD after your name, does NOT guarantee perfection or smarts all the time either).
APK
P.S.=>
"You MAY have been cool in 1997 but those days are over, momma's boy. Better check the batteries in your pillminder...you've missed a dose." - by Anonymous Coward on Wednesday February 23, @03:19PM (#35293236)
Well, I have done well over time in shareware, freeware, open source, & commercially sold apps, per the lists I put up of that as evidence (only partial lists too)... have you, ever?
POINT-BLANK: You're a NEVER WAS/NEVER WILL BE... period.
This "momma's boy" stuff, what's THAT about? I live on my own & own my own home + rental properties too... heck, if I don't want to? It's to the point I don't even HAVE TO WORK ANYMORE even... & live a decent life still! apk
"Never at any point did I say I was attacking your technical points. I am talking to you." - by Anonymous Coward on Wednesday February 23, @03:29PM (#35293318)
Thanks for admitting you're what my subject above states you are... you prove it, for me. No effort...
----
"I've been watching your posts for a long time" - by Anonymous Coward on Wednesday February 23, @03:29PM (#35293318)
Well, well: I have a stalker here, not a first... & one that likes to go off topic & ad hominem attack me (failing on every point he makes no less, lol).
---
"and have seen you get banned from technical forum after technical forum" - by Anonymous Coward on Wednesday February 23, @03:29PM (#35293318)
That's because I keep my regular name (usually APK as I sign off here as), & don't change it to 50 diff. ones over time (like you most likely do, since you post AC here and don't even put up initials for us to id you by).
Bans? You haven't LIVED until you've been banned, imo... why?? Because when all a forum has is BANNING someone, rather than disproving things they said on a tech level???
It's like your ad hominem attacks & off topic trolling here: It's a last resort of the defeated...
APK
P.S.=>
"This is my last post...I have some actual work to do now. I'm sure you'll keep going, but just remember: The LAST word isn't always the RIGHT word." - by Anonymous Coward on Wednesday February 23, @03:29PM (#35293318)
Well, I have trouble believing you'll stick by that, but we'll see... & when I get that "last word"? It's usually RIGHT, technically right... so much so, it forces trolls like you into ad hominem name tossing attacks & off topic b.s. as you have shown us! lol... too easy! apk
Have you started looking for a newer wife?
Just use napster or something, duh. APK
I'm actually the Unreasonable Optimization troll (you might remember me from "many businesses code their webpages in C++") but I thought I'd try dabbling in Hosts today. I'm making a note here, huge success.
(reference https://www.isc.org/software/bind/advisories/cve-2011-0414)
* As Larissa pointed out, this security advisory used ISC's phased disclosure process (see http://www.isc.org/security-vulnerability-disclosure-policy). The US CERT advisory stated they notified ISC on 2011-01-24. This is reversed. US CERT and all other National CSIRT Teams were notified at the same time (Feb 15th). We just recently added the step in our disclosure process to notify all National CSIRT Teams listed on first.org.
* US-CERT threw in the "2011-01-24" thinking the discovery of the vulnerability matched the time we asked for our next batch of CVE numbers. In this case, this vulnerability was discovered by Neustar, who found the initial defect, and JPRS, who built the feasible lab exploits. That was all in Feb 2011, not Jan 2011.
* The "high severity" is based on the CVSS _BASE_ Score of 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C). Network operators would use this CVSS base score and then run the Environmental and Temporal Score to get a CVSS actionable score. This is why the score you saw from US CERT was so low. They used their proprietary full metric, which scored it lower. Vendors are encouraged to use CVSS so the operator then takes accountability to gauge the risk specific to their environment.
Check out http://www.first.org/cvss/ for more information on CVSS. ISC has recently started using CVSS for all our security advisories (see http://www.isc.org/announcement/iscs-has-adopted-cvss-our-security-advisories).
* DNS Operational Risk and Reaction to any DNS issue is best addressed via DNS-OARC. If your DNS is critical, I recommend, as a minimum, to sign on to the public BIND forums (see https://lists.isc.org/mailman/listinfo) and the public DNS-OARC forums (see https://www.dns-oarc.net/oarc/services).
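The base, temporal and environmental scoring steps described in the comment above, worked through in Python as an added example (not ISC's or US-CERT's code). The base vector is the one quoted in the comment and the weights are those of the CVSS v2 specification; the temporal and environmental inputs (`POC`, `OF`, `C`, and the availability requirement) are assumptions chosen for illustration.

```python
# CVSS v2 metric weights, as published in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}


def parse(vector):
    """Split 'AV:N/AC:M/...' into a {metric: value} dict."""
    return dict(part.split(":") for part in vector.split("/"))


def _base(m, impact):
    # The base equation, reused with an adjusted impact for the environmental score.
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def base_score(vector):
    m = parse(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    return _base(m, impact)


def temporal_score(base, e="ND", rl="ND", rc="ND"):
    return round(base * E[e] * RL[rl] * RC[rc], 1)


def environmental_score(vector, e="ND", rl="ND", rc="ND",
                        cr="ND", ir="ND", ar="ND", cdp="ND", td="ND"):
    m = parse(vector)
    adj_impact = min(10.0, 10.41 * (1 - (1 - CIA[m["C"]] * REQ[cr])
                                    * (1 - CIA[m["I"]] * REQ[ir])
                                    * (1 - CIA[m["A"]] * REQ[ar])))
    adj_temporal = temporal_score(_base(m, adj_impact), e, rl, rc)
    return round((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td], 1)


if __name__ == "__main__":
    vec = "AV:N/AC:M/Au:N/C:N/I:N/A:C"          # vector quoted in the comment
    base = base_score(vec)
    print("base:", base)
    # Assumed temporal inputs: proof-of-concept exploit, official fix, confirmed.
    print("temporal:", temporal_score(base, "POC", "OF", "C"))
    # Assumed environments: DNS availability is critical vs. low priority.
    print("env (AR:H):", environmental_score(vec, "POC", "OF", "C", ar="H"))
    print("env (AR:L):", environmental_score(vec, "POC", "OF", "C", ar="L"))
```

The same base vector lands at very different actionable scores depending on how much the operator depends on DNS availability, which is the reason the comment gives for publishing only the base score.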
Look at the title of YOUR reply, since it was the one I put up... lol: It PROVES that I don't recommend P2P, period & that proves it for me, & that means tools like napster... not "too smart" of you now, was it? Nope!
"Just use napster or something, duh. APK" - by Anonymous Coward on Wednesday February 23, @04:52PM (#35294130)
First: You don't post @ ALL like I do...
I.E.-> Not enough material!
(As I am, admittedly, QUITE often MUCH more "wordy" due to detail, examples, & quoting others I use, & I quote others 9/10 times too, so I address their points, point-by-point... it works!)
Secondly: No paragraphs from you either!
(Yes... poor attempt @ impersonation of myself!)
---
Lastly, in case you didn't notice? The title of your post IS PROOF I DON'T RECOMMEND USING P2P SYSTEMS! & napster? It's P2P... & last I knew? Dead, or commercialized as well too!
APK
P.S.=> Now, the saying is "IMITATION IS THE SINCEREST FORM OF FLATTERY"... well, not when the imitation sucks, & tries to put words into MY mouth I don't agree with, or never stated (complete w/ the stupidest mistake of all - I rarely use the same title in reply, and napster, as I noted just above? Is P2P & the title of the impersonators' post has my proof of that alone!)
(After all & above ALL else - I have repeatedly stated not to use P2P to update a HOSTS file, here you fool... did you think others would not notice that also??)... apk
I don't know how many readers Slashdot has these days, but I bet many of them have one elbow on their desk and the palm of their hand on their forehead reading this. I really don't get your agenda either (assuming you are not the AC or in league with the AC that opened this particular topic...). You are simply stating the obvious, but also something utterly impractical and incompatible with the architecture of the Internet. And I'm not even getting started on the basic flaw of your suggested "alternative", which resides in the initial generation of the host file.
Am I aware of those things? Seriously?
If you do work in IT and are dealing with systems too sensitive to the point where doing a DNS request is too risky, I would ask myself serious questions if I were you. Those systems should probably not be linked to the Internet in the first place.
"Spybot Search & Destroy adds about 15,000 entires to hosts that point to 127.0.0.1" - by Bacon Bits (926911) on Wednesday February 23, @12:41PM (#35291674)
1 problem w/ that: It's SLOWER to read, line-by-line, than using 0.0.0.0 & ALL text files get read in line by line - no escaping it.
(Which is, itself, in the latter EVEN SLOWER than 0, which is STILL LEGIT TO USE in Windows 2000 (has been there, since SP #2 for it iirc), XP, & SERVER 2003... but was removed on 12/09/2008 SP #1 for VISTA onwards, strangely!)...
0.0.0.0 is JUST AS COMPATIBLE as 127.0.0.1 really, but smaller & FASTER!
(Thus, it's better in MOST instances, for performance' sake!)
Sure: FileSystems haul stuff in @ 4k at a pop, & so does memmgt in Windows... but you STILL have to read in file entries, line by line & EVERYTHING is a file (even things like screen device contexts you draw on) in modern OS (even past older ones too, as a way to "abstract" things).
Problem here? Well, 127.0.0.1, line by line in a HOSTS file, creates a LARGER FILE than does 0.0.0.0 or 0, by QUITE a lot!
E.G. from my current HOSTS file, w/ 936,000++ entries:
---
127.0.0.1= 28mb in size
0.0.0.0 = 25mb in size
0 = 20mb in size
---
(See my point? Math makes it simple enough)
You guys have to remember: The HOSTS file is read into either your:
1.) Local DNS client cache (on Windows, & it's really an ANTIQUATED INFLEXIBLE HUNK OF JUNK)
or
2.) Your local Diskcache (if you use larger HOSTS files, you MUST turn off the junk I noted in #1 (the local DNS Client Cache)), or you'll "lag" to hell!
Shit design is why... The DNS has a C/C++ "structure" it uses, & it's obviously NOT reading into a queue, but, rather a fixed size buffer... has to be, due to the problem I note above.
---
"which might fail safer than a null route. It amounts to the same thing." - by Bacon Bits (926911) on Wednesday February 23, @12:41PM (#35291674)
Not really "same thing", see above... & I had debated this with ForeDecker before & he conceded that to me (he's Microsoft's Senior Mgt. in their "Windows Client Performance Division" in fact, or was (I *think* he changed titles recently though, what w/ the mgt. shakeup Ballmer's creating over @ MS (keeping techie types, & ForeDecker does have his B.S. in CSC afaik too))).
One place where 127.0.0.1 (your loopback adapter address) is important?
Web Servers...
So, if you're doing one, use it (especially for localhost).
Still - Technically, IF you're not on a network? You don't even REALLY NEED a hosts file @ all!
APK
P.S.=> The HOSTS file? It's just that it's one HELL of a versatile tool for speed, security, & even ADDED "anonymity" online & FREE TOO... it's a clear-cut case of "oldschool still RULES"... apk
"I don't know how many readers Slashdot has these days, but I bet many of them have one elbow on their desk and the palm of their hand on their forehead reading this" - by geogob (569250) on Wednesday February 23, @06:53PM (#35295332)
LOL, well... maybe: However, I *think* you may be "under-estimating" them, just a WEE bit... lol!
---
"I really don't get your agenda either (assuming you are not the AC or in league with the AC that opened this particular topic...). " - by geogob (569250) on Wednesday February 23, @06:53PM (#35295332)
No, no way am I he man... he made TOO many "screwups"... his idea, IN PRINCIPLE, is doable, but impractical as there are BETTER WAYS TO UPDATE A HOSTS FILE (hostsman, or just downloading them directly, from reputable sources).
---
"You are simply stating the obvious" - by geogob (569250) on Wednesday February 23, @06:53PM (#35295332)
That HOSTS files make one go FASTER, & SAFER ONLINE? Absolutely... I agree. I am surprised MORE folks don't use them but their loss: After all - it's YOUR MONEY you spend to be online, why not get the most, & safest way, out of it??
(Boggles the mind, but, there you are...)
---
"but also something utterly impractical in incompatible with the architecture of the Internet" - by geogob (569250) on Wednesday February 23, @06:53PM (#35295332)
I think you'd best tell that to folks like MVPS.org then... because they produce a widely known & effective HOSTS file for both added speed online, & added security.
(Mine's all of theirs & current, + around 7-8 other valid sources too in fact)
It's VERY practical to go FASTER online, & SAFER TOO... & be "proof" vs. bugs & hacks/cracks/exploits of DNS (per this article & many others like it the past 2-4 yrs. alone).
---
"And I'm not even getting started on the basic flaw of your suggested "alternative", which reside in the initial generation of the host file." - by geogob (569250) on Wednesday February 23, @06:53PM (#35295332)
Explain this... what do you mean "alternative" &/or "initial generation"??
Thanks!
APK
---
" - by geogob (569250) on Wednesday February 23, @06:53PM (#35295332)
Who posts and trolls others as Anonymous Coward.
Natalie Portman and True Grits
"Maybe you should take life less seriously!" - by Anonymous Coward on Wednesday February 23, @11:22PM (#35296738)
Again: Grow up, & realize something, you little punk: Life IS serious!
APK
P.S.=>
"And this year's most trollable person award and the corollary, most replay value in a trolling game, goes to... APK, for taking every last little bit of troll bait hook, line and sinker! Speech! Speech! Speech!" - by Anonymous Coward on Wednesday February 23, @11:22PM (#35296738)
I'll tell you 1 thing I've noticed about you, straight off: You're a ball-less little punk. I know "your kind", as does anyone else here - you're most likely some little wimp that's had his ass kicked SO many times in the "real world" (not online) that your only sense of "power" comes out here, where nobody will stomp the life out of your behind for how you act (juvenile asshole that you are)...
Fact is, I'd almost bet I am 100% correct here too! apk
"The InCrEdiBLe FaTBoY"
http://userserve-ak.last.fm/serve/126/26720893.jpg
Otherwise known as Americano (alias Kevin B. Pease)
I don't think it's worth the energy to debate... your mind is clearly set. But I will at least answer your question. By "alternative", I meant "alternative to the use of DNS" (understand, local host override). By "initial generation" I mean the generation of the host file (regardless if it's done by you or, worse, by someone else). You can't deny that domain name poisoning is really critical at this stage. You only need to have someone malicious having access to your host housekeeping scripts or to one of your "trusted" host file sources and you opened him the door to a goldmine.
"I don't think it's worth the energy to debate... your mind is clearly set." - by geogob (569250) on Thursday February 24, @03:16AM (#35297668)
My mind's set on 1 thing, because it's how it is: I never said anything about "alternative" and "initial generation"... that's the OP. I am not he.
(Again, you're getting confused (again)...!)
---
"You can't deny that domain name poisoning is really critical at this stage." - by geogob (569250) on Thursday February 24, @03:16AM (#35297668)
OH... You mean like is happening to DNS per this article? Yes, I can actually!
---
"You only need to have someone malicious having access to your host housekeeping scripts" - by geogob (569250) on Thursday February 24, @03:16AM (#35297668)
I don't use scripts to maintain mine. Again, your point, is "moot"... Plus, my system hasn't been compromised, ever, since oh... 1993/1994, MAYBE??
---
"or to one of your "trusted" host file source" - by geogob (569250) on Thursday February 24, @03:16AM (#35297668)
I don't use only 1 source & I verify them as I put them into the file... there are many sources for that verification also!
APK
P.S.=> Above ALL else here though: YOU ARE, once again, GETTING MYSELF CONFUSED WITH THE OP! I am NOT he, I never said what he did... period!
In fact, I corrected him on a few points even!... apk
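The exchange above turns on whether a third-party HOSTS list can be trusted before it is merged. As an added example (not code from any poster in this thread), here is one way to audit a downloaded list so that only sink entries are accepted and any line pointing a name at a routable address is flagged; the sample file, its hostnames and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Addresses a blocklist-style HOSTS file is expected to use as sinks.
SINKS = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::", "::1")}


def audit_hosts(text):
    """Return (line_number, reason, raw_line) for every suspicious entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        # The bare "0" shorthand discussed in the thread is treated as 0.0.0.0.
        token = "0.0.0.0" if fields[0] == "0" else fields[0]
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            findings.append((lineno, "unparseable address", raw))
            continue
        if len(fields) < 2:
            findings.append((lineno, "address with no hostname", raw))
        elif addr not in SINKS:
            # A blocklist has no reason to resolve a name to a real host;
            # this is how a tampered source would redirect traffic.
            findings.append((lineno, "name mapped to non-sink address", raw))
    return findings


# Constructed sample input; 203.0.113.0/24 is a documentation-only range.
SAMPLE = "\n".join([
    "# constructed sample blocklist",
    "127.0.0.1 localhost",
    "0.0.0.0 ads.example.com",
    "0 tracker.example.net",
    "203.0.113.10 login.example.org   # redirect hidden among sink entries",
    "not-an-ip broken.example.com",
    "0.0.0.0",
])

if __name__ == "__main__":
    for lineno, reason, raw in audit_hosts(SAMPLE):
        print(f"line {lineno}: {reason}: {raw}")
```

Run against each source before merging, and refuse the whole file if any finding is returned rather than dropping only the flagged lines.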